Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Issue #5019 - hot-reload SSL certificates if keystore file changed #5042

Merged
merged 12 commits into from Jul 15, 2020
Merged

Issue #5019 - hot-reload SSL certificates if keystore file changed #5042

merged 12 commits into from Jul 15, 2020

Conversation

lachlan-roberts
Copy link
Contributor

Issue #5019

Added an ssl-reload module which uses Scanner to monitor the keystore file registered with the SslContextFactory and reloads the keystore file if it detects any changes.

@lachlan-roberts
Issue #5019 - add class to do SSL keystore hot-reload in new module
24d0e50 
Signed-off-by: Lachlan Roberts <lachlan@webtide.com>
@lachlan-roberts
Issue #5019 - add testing for the SslKeyStoreScanner
13e034f 
Signed-off-by: Lachlan Roberts <lachlan@webtide.com>
@lachlan-roberts
Issue #5019 - add jetty module files and xml to use ssl-reload with s…
f348734 
…tart.jar

Signed-off-by: Lachlan Roberts <lachlan@webtide.com>
@lachlan-roberts
fix issues with the ssl-reload module
80f09e1 
Signed-off-by: Lachlan Roberts <lachlan@webtide.com>
@lachlan-roberts
use WorkDirExtension in KeystoreReloadTest to fix failing tests on je…
dc91f69 
…nkins

Signed-off-by: Lachlan Roberts <lachlan@webtide.com>
@lachlan-roberts
generalize the exception type tested in KeystoreReloadTest
0705d8e 
Signed-off-by: Lachlan Roberts <lachlan@webtide.com>
@sbordet
Copy link
Contributor

sbordet commented Jul 13, 2020

@lachlan-roberts please redo this PR as follows:

  • remove the Maven module jetty-ssl-reload as it is only 1 class
  • move the Jetty module jetty-ssl-reload.mod to Maven module jetty-server, where the other SSL Jetty modules are
  • class and test cases should be in jetty-util.
  • add a test where the keyStore file is a symlink and change the target of the symlink

sbordet
sbordet requested changes Jul 13, 2020
View reviewed changes
Copy link
Contributor

@sbordet sbordet left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

See PR comment.

@lachlan-roberts
move code of ssl-reload module to jetty-util, move module files to je…
62ee077 
…tty-server

Signed-off-by: Lachlan Roberts <lachlan@webtide.com>
@lachlan-roberts
add tests in KeystoreScannerTest for changes with symlinks
b036439 
Signed-off-by: Lachlan Roberts <lachlan@webtide.com>
@lachlan-roberts
Copy link
Contributor Author

  • remove the Maven module jetty-ssl-reload as it is only 1 class
  • move the Jetty module jetty-ssl-reload.mod to Maven module jetty-server, where the other SSL Jetty modules are
  • class and test cases should be in jetty-util.
  • add a test where the keyStore file is a symlink and change the target of the symlink

@sbordet I did all these, but moved the tests to test-integration as it needed a Server dependency. Maybe there is a better location for this.

joakime
joakime requested changes Jul 13, 2020
View reviewed changes
Copy link
Contributor

@joakime joakime left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Some small changes.

jetty-server/src/main/config/modules/ssl-reload.mod Outdated Show resolved Hide resolved
jetty-util/src/main/java/org/eclipse/jetty/util/ssl/SslKeyStoreScanner.java Outdated Show resolved Hide resolved
jetty-util/src/main/java/org/eclipse/jetty/util/ssl/SslKeyStoreScanner.java Outdated Show resolved Hide resolved
@lachlan-roberts
changes from review
a83844d 
Signed-off-by: Lachlan Roberts <lachlan@webtide.com>
sbordet
sbordet requested changes Jul 14, 2020
View reviewed changes
Copy link
Contributor

@sbordet sbordet left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please add some documentation in configuring-ssl.adoc.

jetty-util/src/main/java/org/eclipse/jetty/util/ssl/KeyStoreScanner.java Show resolved Hide resolved
jetty-server/src/main/config/etc/jetty-ssl-context-reload.xml Outdated Show resolved Hide resolved
@lachlan-roberts
add javadoc for KeyStoreScanner class
2541f1f 
Signed-off-by: Lachlan Roberts <lachlan@webtide.com>
@lachlan-roberts
add null checks in SslContextFactory for _factory, which could be nul…
c40ba69 
…l if reload failed

Signed-off-by: Lachlan Roberts <lachlan@webtide.com>
@lachlan-roberts lachlan-roberts mentioned this pull request Jul 15, 2020
Merged
sbordet
sbordet approved these changes Jul 15, 2020
View reviewed changes
Copy link
Contributor

@sbordet sbordet left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please add *.adoc documentation as well.

jetty-util/src/main/java/org/eclipse/jetty/util/ssl/SslContextFactory.java Outdated Show resolved Hide resolved
@lachlan-roberts
add documentation for ssl-reload, change exception message in SslCont…
0f7d99c 
…extFactory

Signed-off-by: Lachlan Roberts <lachlan@webtide.com>
@lachlan-roberts lachlan-roberts merged commit bbb0f66 into jetty-9.4.x Jul 15, 2020
@lachlan-roberts lachlan-roberts deleted the jetty-9.4.x-5019-SslReload branch July 15, 2020 23:09
@lachlan-roberts lachlan-roberts added this to In progress in Jetty 9.4.31 via automation Jul 15, 2020
@lachlan-roberts lachlan-roberts moved this from In progress to Done in Jetty 9.4.31 Jul 15, 2020
This was referenced Jul 15, 2020
Closed
Closed
@mantryashutosh
Copy link

Does the hot reload work if the keystore file is a soft link ?

@joakime
Copy link
Contributor

joakime commented Sep 25, 2020

I wouldn't expect it to, as the soft link itself wasn't updated, meaning there's no file change (last modified) detectable.

@lachlan-roberts
Copy link
Contributor Author

@mantryashutosh it should still work if the keystore file is a soft link, we even have a test for this at KeyStoreScannerTest.testReloadChangingTargetOfSymbolicLink().

@mantryashutosh
Copy link

that's great, thank you so much @lachlan-roberts . Will test it out

@mh013370 mh013370 mentioned this pull request Sep 1, 2022
Open
6 tasks
@mlsorensen mlsorensen mentioned this pull request Mar 21, 2023
Merged
12 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@sbordet sbordet sbordet approved these changes

@joakime joakime Awaiting requested review from joakime

Assignees
No one assigned
Labels
None yet
Projects
No open projects
Jetty 9.4.31
  
Done
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@lachlan-roberts @sbordet @mantryashutosh @joakime